Health center - expert insights


HIPAA compliance—ways to ease the pain


By: Judith Horstman

HIPAA may seem a lot like death and taxes: unpleasant, inevitable, and something we'd just as soon put off as long as possible.

So if you aren't up to speed in complying with HIPAA (the Health Insurance Portability and Accountability Act), you are not alone. And you probably aren't alone in feeling the administrative work required to be in compliance is taking time away from your practice and your patients.

There's no doubt HIPAA compliance means major changes for doctors and other health professionals, both administratively and in the way you practice medicine. Overall, the security rules apply to the way electronic patient-related information is handled, stored and protected. The privacy rules, however, apply to all individually identifiable patient information, in whatever way it is stored.

Here's a way to put a positive spin on compliance. HIPAA is requiring health care providers to do what is in their best interest anyway: to implement security and privacy measures to protect your most valuable asset—your data.

The major HIPAA issues are actually the same as those you face in handling any sensitive data, but now with governance attached. They are:

•  Data storage and retrieval
•  Data security
•  Data privacy

What does HIPAA require?


Basically, the Department of Health and Human Services (HHS) has established standards and rules for doctors and medical practices about:

•  Electronic data, including patient health, administrative and financial information
•  Unique health identifiers for individuals, employers, health plans and health care providers
•  Security standards protecting the confidentiality and integrity of "individually identifiable health information, past, present or future"

But while the HIPAA Security Rule describes what providers should do to implement the requirements and recommendations, it doesn't say how to do it.

HIPAA's privacy rule states a designated privacy officer must be assigned, but many may not have the expertise needed to fully implement a compliant structure. Experts have advised health care professionals to turn HIPAA-related matters over to a trusted advisor, but this sounds easier than it is.

Where to turn?


You've probably been getting solicitations and advertisements for many types of HIPAA-related services, from consultants to courses to guidebooks to in-office training for your staff.

Small practices may not need to hire a full-time consultant. But your office could probably use some help. Many professional organizations, such as the American Medical Association, offer books, courses and other resources, including a publication called "How to HIPAA- 10 Top Tips".

The AMA also has an anonymous and confidential form to complain about other organizations that are out of compliance.

Among the solutions that make compliance less painful and more effective, HP offers a custom assessment service that can evaluate your individual situation, assign a HIPAA-certified project manager to serve as the single point of contact for your HIPAA transition—from start to finish—and give you the tools to reduce the costs and business impact of HIPAA compliance. Along the way, many health care professionals also uncover problems with business practices or procedures that they are able to improve during their privacy and security compliance investigation.

Start with the basics


While HP offers a full range of sophisticated protections, the HP security experts advise starting with the basics. The simplest precautions are your first line of defense and can help enable compliance.

•  Create a security policy for your office. A clear set of written guidelines on how data will be handled and secured tells your staff what standards you expect.
•  Secure workstations and equipment. It sounds basic, but easily portable information equipment—from your PDA to your notebook—should not be left unguarded or in public areas.
•  Use password protection. Many computers are in public places or at workstations where sensitive materials could be viewed by unauthorized persons. Passwords protect data.
•  Enable virus protection. Get a good anti-virus protection plan, update it regularly, and use it, scheduling regular scans of your equipment.

Now that many health care organizations are on some type of network—small or large, wired or wireless—it is essential to set up a network security policy to keep data secure, and taking the basic steps above can make a world of difference. A major advantage of digital data is being able to network to find what you need when you need it. Wireless capability has made networking even more advantageous—but opened areas of potential security risk. So take the appropriate steps to set up a secure wireless environment.

Taking security to the next level


The next level of electronic security brings in the digital watchdogs, from hard-drive protection to biometric fingerprint ID.

Biometric capability sounds like something out of a "Mission Impossible" movie, and may strike you as something only large firms are able to use. However, technology has expanded to all segments of the market, making sophisticated tools affordable for small businesses.

With the potential for hackers to find ways to break password codes, the uniqueness of someone's fingerprint provides an added layer of security that deters unauthorized access.

But what happens when your device is stolen? Is the data accessible through the hard drive? Technologies such as HP's Drive Lock help prevent the data on your hard drive from being compromised, even if your notebook or Tablet PC is lost or stolen. Other options include an integrated Smart Card Reader and a TPM (Trusted Platform Module) Embedded Security Chip.

Protecting the backbone


Authentication of data is a requirement for HIPAA compliance. Do you know who has been viewing or retrieving your patient data, and what (if any) changes have been made? Ensuring the authentication and integrity of the data—showing it has not been altered or accessed by unauthorized staff—is a main component that should not be overlooked.

But does this mean you have to set up yet another complex security level for your practice? Not at all. Server and storage technologies today have these functions built in, so they are easy to implement and manage. Again, thinking beyond HIPAA, in the unfortunate circumstance where you are required to produce proof of authentication or integrity of data in a malpractice suit, these built-in features can make the process go faster and smoother.

Regardless of HIPAA requirements, being able to continue business as usual is the goal of every owner, and safe data storage is vital. It means your data is protected, and you could continue seeing patients if a disaster—small or large—occurred. For example, a fire this July destroyed a medical office building in Sacramento, Calif. A dialysis service that stored dialysis-related patient records online was able to continue patient services at another site, while a prenatal diagnosis clinic lost everything, including test results and patient records.

Using devices such as servers, or tape and online storage, you can protect and back up data, ensuring your practice could continue its day-to-day activities. Electronic online storage, called e-vaulting, offers 24/7 continuous online backup and protection of your data, and makes current data always available. While this may sound like a costly service for big business only, in fact it is specifically configured and priced for smaller practices.

Next steps towards compliance:

•  Call an HP expert at 800-888-8380 (mention code HLTH) to discuss options, and get information about certified security specialists.
•  Check with your medical association for advice and HIPAA-smart tools.
•  Go to the source: The Department of Health and Human Services has more than you ever want to know about HIPAA.

© Copyright 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.